(57) ABSTRACT

A data management technique for managing accesses to data at a shared storage system includes a filter at the storage system. The filter is coupled to a configuration table, which identifies which of a number of coupled host processors have accesses to each of the resources at the device. During operation, requests received from the host devices are filtered by the filter, and only those requests to resources that the individual host devices have privilege to access are serviced. Advantageously, data security is further enhanced by authenticating each of the requests received by the storage system to verify that the host processor that is represented as forwarding the request is the indicated host processor. In addition, transfers of data between the storage system and the host processor may be validated to ensure that data was not corrupted during the data transfer.
METHOD AND APPARATUS FOR AUTHENTICATING CONNECTIONS TO A STORAGE SYSTEM COUPLED TO A NETWORK

FIELD OF THE INVENTION

This invention relates generally to the field of information storage devices and more particularly to a method and apparatus for managing access to data in a storage device.

DESCRIPTION OF THE RELATED ART

Computer systems generally include one or more host processors and a storage system for storing data accessed by the host processor. The storage system may include one or more storage devices (e.g., disk drives) to service the storage needs of the host processor. Disk drives may include one or more disks of a recording media, such as a magnetic recording medium or an optical recording medium.

In a typical computer system configuration, a bus provides an interconnect between the host processor and the storage system. The bus operates according to a protocol, such as the Small Component System Interconnect (SCSI) protocol, which dictates a format of packets transferred between the host processor and the storage system. As data is needed by the host processor, requests and responses are forwarded to and from the storage system over the bus.

With the growth of networked computer systems, multiple hosts have been coupled over a network to a shared data storage system. Fibre Channel is an example of a network that can be used to form such a configuration. Fibre Channel is a network standard that allows multiple initiators to communicate with multiple targets over the network, where the initiator and target may be any device coupled to the network. Using a network, multiple hosts are able to share access to a single storage system. One problem with coupling multiple hosts to a shared storage system is the management of data access at the storage system. Because multiple hosts have access to a common storage system, each host may physically be able to access information that may be proprietary to the other host processors.

Various techniques have been implemented to manage access to data at the storage system. For example, certain portions or zones of memory at the storage system may be dedicated to one or more of the hosts. Each host is 'trusted' to access only those portions of memory for which it has privileges. However, such an approach is vulnerable to the individual actions of each of the hosts. As a result, such a data management method may not be sufficient to protect data from unprivileged accesses.

SUMMARY OF THE INVENTION

According to one aspect of the invention, a data management method for managing access to a storage system by a device includes steps of authenticating, at the storage system, that each request in a series of requests for access to the storage system indicated as having been issued by the device was actually issued by the device and responsive to the step of authenticating, selectively servicing each request that is authenticated.

According to another aspect of the invention, a method for managing access by a device to a storage system includes steps of receiving, at the device, at least one expected identifier to be included in at least one subsequent request issued by the device to the storage system and issuing from the device at least one request to the storage system, the at least one request including the at least one expected identifier.

According to another aspect of the invention, a host computer for use in a system including a storage device includes a port to receive at least one expected identifier to be included in at least one subsequent request for access to the storage system and a controller to issue at least one request to the storage system, the at least one request including the at least one expected identifier.

According to another aspect of the invention, a storage system includes at least one storage device apportioned into a plurality of volumes, and an adapter to interface the storage system to a plurality of devices, the adapter to authenticate at least one request from at least one of the devices of the plurality of devices to verify that the at least one request was issued from the at least one of the devices, the adapter to selectively forward the at least one request to the at least one storage device for servicing responsive to authentication of the at least one request.

According to another aspect of the invention, an adapter is provided for use in a device to authenticate a connection between the device and a storage system. The adapter includes a data structure comprising at least one entry to store at least one unique identifier provided by the storage system and a controller to issue at least one request to the storage system that includes the at least one unique identifier so that the storage system can use the at least one unique identifier to authenticate the connection between the device and the storage system.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1A, 1B and 1C illustrate exemplary network configurations in which the data management aspect of the present invention can be employed;

FIG. 2 illustrates one embodiment of a packet that can be distributed between devices coupled in the networks of FIGS. 1A, 1B or 1C;

FIG. 3 is a block diagram illustrating exemplary components of a host processor and storage system which may be coupled in the networks of FIGS. 1A, 1B or 1C, the storage system including an adapter having elements for filtering requests issued by the host processor according to one embodiment of the present invention;

FIG. 4 is a block diagram of one embodiment of a configuration data structure that may be used to store filtering information for use by the storage system of FIG. 3;

FIG. 5 is a block diagram of one embodiment of filtering data that may be used to filter requests at the storage system of FIG. 3;

FIG. 6 is a block diagram illustrating exemplary components of a host processor and storage system that may be coupled in the network of FIGS. 1A, 1B or 1C, the storage system including logic for authenticating transactions by the host according to one embodiment of the present invention;

FIG. 7 is a flow diagram illustrating one method of distributing encryption keys between a host processor and storage system of FIG. 6, so that the encryption keys can be used to authenticate the identity of the host processor;

FIGS. 8a-c are a flow diagram illustrating one method of authenticating the identity of a host processor when establishing a connection between the host processor and storage system of FIG. 6 in accordance with one embodiment of the invention;

FIG. 9 is a diagram illustrating exemplary components that may be included in an authentication table of the storage system of FIG. 6 and that may be used to authenticate the identity of host processors according to one embodiment of the invention;

FIG. 10 is a flow diagram illustrating one method of performing a checksum of data transferred between an initiator and target in the networks of FIGS. 1A, 1B and 1C for validating data transfers in one embodiment of the invention; and

FIG. 11 is a flow diagram illustrating one method of 
validating a data transfer between an initiator and target 
using the checksum of FIG. 10 according to one embodi- 
ment of the invention. 

DESCRIPTION OF DETAILED EMBODIMENTS 

The present invention is directed to a data management method and apparatus for managing accesses by multiple devices (e.g., host processors, file servers and the like) to data at a shared resource (e.g., a shared storage system). According to one embodiment, the shared resource selectively services requests from the devices for portions of data at the shared resource in response to configuration data associated with each of the portions of data at the resource.

In one embodiment, data at the shared resource is apportioned into volumes. Configuration data identifies which volumes of data are available for access by each of the devices coupled to the resource (e.g., over a network). The shared resource includes a filter that selectively forwards a request for servicing depending upon the identity of the device issuing the request and the configuration data associated with the volume to which access is sought. The filter forwards only those requests for volumes that the device has privileges to access. Requests to volumes for which the device does not have privileges are not serviced.

Filtering requests at the resource allows the control of the 
data management to be centralized in one location, rather 
than distributed throughout the network. Centralizing the 
data management control at the storage system removes the 
need to trust the hosts seeking access to the storage system 
to only access certain portions of data. 

In one embodiment of the invention, in addition to filter- 
ing requests to support data management at the resource, 
security protection may be added to further secure the data 
at the resource. Because filtering is performed in response to 
the identity of the device initiating the request, data security 
may be compromised if a device falsely represents its 
identity to gain access to the resource. In addition, data 
transfers between the device and the resource may be 
corrupted by other devices coupled (e.g., over a network) to 
the resource. In one embodiment, an authentication method 
and apparatus is provided to verify that the device that is 
represented as the device issuing the request is truly the 
device that issued the request. The authentication method 
may therefore be implemented to overcome security prob- 
lems associated with a device mis-representing its identity to 
obtain data at the resource. In another embodiment, a validation method and apparatus is provided to ensure that information transferred between the device and the shared resource is not corrupted (either inadvertently or intentionally) during transit.

A data management system for managing data at a resource may use any or all of these filtering, authentication and validation techniques. One exemplary system wherein the data management method and apparatus of the present invention may be employed is in a networked computer system, wherein the devices are host processors or file servers coupled to the network and the shared resource is a storage system (e.g., a disk device storage system). It should be appreciated that the use of a network, host processor or shared disk device is not a limitation of the present invention, and that such a system configuration is described below solely for purposes of illustration.

In one embodiment, one or more hosts may be coupled to one or more storage systems using a network, with requests and responses being forwarded to and from the storage systems over the network according to the protocol of the network. In addition, each host and storage system may include one or more ports for interfacing the host or storage system to a corresponding one or more networks. As described above, in one embodiment, each storage system in the network includes logic for filtering received requests to manage data accesses to the storage system.

One exemplary network in which the present invention may be employed is a Fibre Channel network, although the present invention is not limited to the use of the Fibre Channel network or any other particular network configuration. Three example Fibre Channel network configurations are illustrated in FIGS. 1A, 1B, and 1C. FIG. 1A illustrates a network 10 arranged in a loop configuration, where all devices in the network are coupled together in a single loop. In FIG. 1A, three host processors 12, 14 and 16 are shown coupled to a storage system 20 by a hub 18a. Internally, the hub is arranged in a loop configuration. Communication between the devices, over the busses 15a-15d, is performed by passing data packets from one device to the next in the loop. FIG. 1B illustrates a network 30 arranged in a fabric configuration, where all the devices are coupled together by a hub 18b. Internally, the hub is arranged as a switch. Communication between pairs of the devices 12, 14, 16 and 20 in the network 30 is controlled by the hub 18b. The data management method of the present invention may be employed in networks arranged in the loop or fabric configurations illustrated in FIGS. 1A and 1B, or alternatively in other network or resource sharing configurations. For example, the data management aspect may be employed in the network illustrated in FIG. 1C. In FIG. 1C, a host/storage system configuration is shown where the storage system includes two ports, each of which interfaces the storage system to a different network. In FIG. 1C, a first port (Port 0) is coupled to a fabric network 30 and a second port (Port 1) is coupled to a loop network 10.

As mentioned above, the data management aspect of the present invention configures volumes of data at the storage system 20 according to the identity of the host devices coupled to the storage system. The configuration data that is used to manage the allocation of volumes to different hosts may be provided, for example, by a system administrator of the network. The system administrator tracks the host devices that are coupled to the network and the available volumes at the storage system. As a new host device enters the network, the system administrator allocates storage system volumes to the host. The number of volumes allocated to the host may be based on a requested number of volumes, or alternatively may be based on historical data requirements of the host. The system administrator may be implemented in software, executing on one of the devices or storage systems in the network, and may include a graphical user interface to enable users to monitor the availability and assignment of volumes to different hosts in the network. The present invention is not limited to any particular implementation of the system administration.

Generally, as each device enters the network it queries the network to identify the other devices coupled to the network. Each device that responds to the query returns one or more identifiers for the device. For example, the identifier may include the world wide name (WWN) assigned to the device by the manufacturer of the adapter board using a naming convention. The identifier may also include a source identifier (ID). Both are unique identifiers for the device, however the source identifier is generally a shorter identifier than the WWN. The source identifier may identify the device (e.g., a host processor) and the port of the device that is coupled to the network. Thus, if multiple ports of the particular device are coupled to the network, an identifier may be returned for each port. When the query operation is complete, each of the devices has knowledge of the other devices coupled in the network. Once each device has knowledge of the other devices in the network, this information can be used to exchange data between devices.

Requests and responses to and from the storage system 20 are forwarded over the networks 10 and 30 according to the network protocol. The Fibre Channel interconnect is capable of carrying multiple interface command sets. Accordingly, the devices that are coupled together using the Fibre Channel network may communicate using any of a number of higher level protocols including Internet Protocol (IP), Small Component System Interconnect (SCSI) protocol or any of a number of other protocols provided that the interfacing devices have knowledge of the type of protocol that is being used on the particular Fibre Channel interconnect. Certain types of devices have historically been designed to communicate using certain protocols. For example, host processor devices have historically communicated with storage systems using the SCSI protocol. Thus, devices coupled using the Fibre Channel network may communicate with each other using the same protocols that have historically been used. As a result, existing interfaces of the devices require little re-design to couple to the Fibre Channel network.

Tunneling techniques typically are used to convert packets of any type of protocol into packets that may be propagated on the Fibre Channel network. Using tunneling, one packet, formatted according to a first protocol, is enveloped in a second packet formatted according to the Fibre Channel network protocol. Thus, a SCSI packet may be enveloped in a Fibre Channel packet by a host processor or storage system for transmission on a Fibre Channel network. One example of a packet formatted according to a SCSI protocol and enveloped in a Fibre Channel packet is illustrated in FIG. 2.

In FIG. 2, a Fibre Channel packet 50 includes a header portion 55 and a payload portion. The header portion 55 includes a source ID field 52, a destination ID field 53 and a length field 54. The source ID field 52 identifies a device in the network that initiated the transmission of the packet 50. The destination ID field 53 identifies a target device for receiving the packet in the network. The length field 54 identifies a number of bytes in the packet. In addition, other fields defined in the Fibre Channel specification also may be included in the header, although these fields are omitted herein for clarity purposes.

The source ID field 52 and destination ID field 53 are used in the exemplary system of FIG. 1C to identify particular host processors and the storage system. When a host issues a request packet to the storage system, the source ID identifies the host and the destination ID identifies the storage system. In accordance with one embodiment of the invention, the storage system uses the source ID field 52 of the packet to index into configuration data identifying which of the volumes of data the respective host has privilege to access.

As mentioned above, the source ID field for a host accessing the storage system 20 can be used to identify the host that issued the request to index into configuration data for the host at the storage system. The configuration data identifies the portions of the storage system that are accessible by the host. Thus, the configuration data can be used by filter logic at the storage system to selectively service the host's request. Exemplary components of a host and storage system that may be used to implement the method and apparatus for filtering requests based on a host identifier will now be described with regard to FIGS. 3-5.

As described above, in one embodiment of the invention, the storage system determines whether a received request should be serviced based on the configuration data. A copy of the configuration data may be stored in a memory at the storage system. Periodically, the configuration data may be updated by the system administrator as hosts enter and exit the network. The storage system also includes logic for communicating over the network and filtering logic, coupled to the memory that stores the configuration data, for determining whether a request received from the network should be serviced. The above-described data management system may be implemented in a variety of ways and the present invention is not limited to any particular implementation. However, for purposes of clarity, one embodiment of a host processor and storage system capable of providing this data management functionality is illustrated in FIG. 3.

FIG. 3 illustrates a host processor 12 coupled to a storage system 20 using a network 21. The network 21 may be, for example, a Fibre Channel network arranged in any of the configurations illustrated in FIGS. 1A-1C. The host processor 12 may be a multi-processing unit, including one or more central processing units such as CPU 40 coupled by a local bus 43 to a memory 42. One or more host bus adapters (HBAs) 45 and 45a are coupled between the bus 43 and the network 21.

Each host bus adapter (HBA) 45 and 45a operates to connect the host processor 12 to the network. The HBAs 45 and 45a translate data received from the CPU 40 into the format dictated by the protocol of the network. In addition, the HBAs 45 and 45a translate data received from the network in packet format into data in a format usable by the CPU 40.

The host bus adapter may be implemented using a combination of hardware resident on the HBA and driver software stored in the HBA or in the memory 42. Alternatively, the host bus adapter may be implemented either entirely in hardware or software. In one embodiment, the HBA 45 includes a processor 41 coupled to a storage system 49. The processor 41 controls the flow and format of data into and out of the HBA 45. The memory 49 is used to provide temporary storage of data as it is transferred to and from the network. The HBA generates packets for transmission over the network 21, with each packet including a source ID field identifying the particular HBA. Because multiple HBAs may be included at each host, multiple source IDs may be associated with the same host.

The storage system 20 includes storage devices 38a-38d which may include one or more disk devices. Access to the storage devices 38a-38d is controlled through the use of disk adapters 36a-36d which may be implemented using a programmed processor or custom hardware design. In the embodiment illustrated in FIG. 3, a disk adapter is provided for each storage device 38a-38d, although alternatively a disk adapter may be coupled to more than one storage device. In addition, disk adapters may include secondary connections to the storage devices 38a-38d of another disk adapter 36a-36d to permit recovery from failure of one disk adapter by shifting its functions to the second disk adapter.

The storage devices 38a-38d are apportioned into volume sets. One or more of the volume sets may be made available to one or more of the HBAs 45, 45a or the host processor 12. In one embodiment, references to the volumes in the storage devices 38a-38d by the HBAs are performed using logical unit numbers (LUNs). There need not be a one-to-one correspondence between the logical unit numbers provided by hosts and the physical addresses of the disk devices.

A configuration database 32 (FIG. 3) stores information regarding which ones of the HBAs have access to which ones of the volumes. As discussed above, in one embodiment information in the configuration database is received from the system administrator and is periodically updated as the configuration of the network changes.

An example of the types of data that may be stored in the configuration database 32 include a history table 69. The history table is apportioned into one block for each of the ports of the storage system. Each block in the history table includes a list of those hosts that have queried the port as they entered the network. The identification information for each host may include the WWN name of the host, the source ID of the host, or other aliases of the host. This identification information may be used when the host logs into the storage system to match an identifier of the host with configuration data for the host.

The configuration database 32 may also include a header portion 70 for mapping the HBAs to the available ports at the storage system. A volume allocation portion 72 may be provided for allocating logical volumes of data at the storage system 20 to different HBAs. A mapping portion 74 is provided for mapping LUNs to physical addresses of the disks. In addition, a filter table 76 is provided for controlling which HBAs have access to which of the LUNs. The filter table 76 is generated using the volume allocation and mapping information and includes a record for each HBA coupled to any of the ports of the storage system. An example implementation of the filter table 76 is provided in FIG. 4. Each record 76a-76n includes the WWN associated with the HBA, a flag indicating whether the volumes allocated in this entry are shared, and a LUN map identifying which of the logical volumes the HBA may access. In one embodiment, the LUN map is in the form of a bitmask with one bit allocated to each LUN in the storage system. In one embodiment, a bit in the bitmask is set to indicate that the associated HBA indicated by the WWN has access to the corresponding LUN, although alternatively the bit may be cleared to indicate access. In addition, alternative embodiments wherein the available LUNs are indicated differently may also be used.

The storage system 20 (FIG. 3) also includes a filter and adapter unit 34. The filter and adapter unit 34 translates packets received from the network into data blocks and control for forwarding to the disk adapters 36a-36d. In addition, the filter and adapter unit 34 performs a filtering function to ensure that only those HBAs with privileges are able to access volumes. Thus, rather than trusting that the HBAs will only access those volumes which they have been assigned, the filter and adapter unit 34 controls accesses to the disks by filtering out non-privileged requests.

In one embodiment, the filter and adapter unit 34 includes a processor 80 coupled to a memory 83. The processor is used to control the transmission and translation of data between the storage system 20 and the network 21. The memory 83 is used to store a transient filter table 84. The transient filter table is apportioned into a number of tables, one for each port of the storage system. Each time that an HBA initiates a connection with the storage system 20 over one of its ports, filtering information is copied from the filter table 76 in the configuration database 32 to the appropriate entry in the transient filter table 84. The filtering information may include the source ID of the HBA logged into the port, a flag indicating whether the volumes associated with this entry are shared, and a LUN map for the HBA logged into the port, where the LUN map is copied from the filter table 76 in the configuration database.

In one embodiment, the configuration data in the transient filter table 84 is accessed for each request. The address of the request is provided in Bus/Target/LUN format, where the Bus portion indicates the Fibre Channel network address of the storage system 20, the Target portion indicates the storage system port address, and the LUN represents the volume address of the request. The address is compared with the entry in the transient filter table 84 which includes the LUN map associated with the HBA. If the bit in the LUN map associated with the addressed LUN indicates that the HBA has access to the LUN, the request is forwarded to the disk adapters 36a-36d for servicing. If not, the request is ignored.

The size of the transient filter table 84 is related to the number of ports provided at the storage system, the number of HBAs supported at each port and the number of LUNs in the storage system. An example configuration of the storage system 20 may include sixteen ports for accessing 4096 LUNs, with each port capable of supporting accesses by thirty two different HBAs. Thus, when the transient filter table 84 is large, if it was stored in a single large memory the access time for each I/O request may be long.

In one embodiment, to increase the response time performance of the storage system 20, the transient filter table 84 is arranged to allow for quick retrieval of the access information for each HBA. Referring now to FIG. 5, one illustrative configuration of the transient filter table is shown. The transient filter table 84 is shown to include an array of records, such as record 400. One column of records is provided for each LUN in the storage system numbered in FIG. 5 as LUN0 to LUNx, where x+1 is the number of LUNs in the storage system. One row of records is provided for each port at the storage system. Each record includes a bitmap 402. The bitmap includes a number of bits corresponding to the maximum number of devices (HBAs) that can access each port. In FIG. 5, these bits are indicated as D1, D2 . . . Dn, where n is the maximum number of devices that may be coupled to any port.

During operation, as an I/O request is received at the storage system 20, the address of the I/O request is compared with the data in the transient filter table 84. The address includes an identifier of the HBA which initiated the request, and an address to the storage system portion that the host wants to access. This address includes, generally, a Bus/Target/LUN combination of fields. The bus field is the base address of the storage system 20 on the network, the target is the source ID of the port of the storage system to which the request is directed, while the LUN indicates the logical unit addressed by the request. The target information (row) and LUN information (column) are used to index into the transient filter table to obtain one of the records. The source ID for the requesting device (e.g., HBA 45 in FIG. 3) is then used to select one of the bits in the bitmap 402 of the record 400 selected by the Bus/Target/LUN address to identify whether or not the bit is set in the mapping. If the bit is set in the mapping, then the request is forwarded to the disks for servicing. If not, the request is dropped.

The transient filter table 84 may be stored in memory, as illustrated in FIG. 3, or alternatively implemented in hardware. While the configuration of the transient database described above provides one method of accessing HBA and LUN mapping information, alternative configurations may also be used. The present invention is not limited to this implementation. Rather, any configuration database arrangement that allows mapping data to be obtained from the database using a source identifier and a resource address may be used.
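
The per-request lookup described above (port row, LUN column, one bit per logged-in HBA), as an added example that is not code from the patent. The per-port slot table that maps a source ID to its bit position, the function names, and the sample WWN and source IDs are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Sizes from the example configuration in the text. */
#define NUM_PORTS     16
#define NUM_LUNS      4096
#define HBAS_PER_PORT 32
#define NO_SLOT       (-1)

/* Record of filter table 76: WWN, shared flag, LUN map (bit set = access). */
struct filter_record {
    uint64_t wwn;
    int      shared;
    uint8_t  lun_map[NUM_LUNS / 8];
};

/* Transient filter table 84: row = port, column = LUN, each record a bitmap
 * with one bit per HBA logged in to that port. */
struct transient_table {
    uint32_t bitmap[NUM_PORTS][NUM_LUNS];
    /* Assumption: a per-port slot table maps a source ID to its bit. */
    uint32_t slot_source_id[NUM_PORTS][HBAS_PER_PORT];
    uint8_t  slot_used[NUM_PORTS][HBAS_PER_PORT];
};

void record_allow(struct filter_record *rec, unsigned lun)
{
    if (lun < NUM_LUNS)
        rec->lun_map[lun / 8] |= (uint8_t)(1u << (lun % 8));
}

static int find_slot(const struct transient_table *t, unsigned port,
                     uint32_t source_id)
{
    for (int s = 0; s < HBAS_PER_PORT; s++)
        if (t->slot_used[port][s] && t->slot_source_id[port][s] == source_id)
            return s;
    return NO_SLOT;
}

/* Login: copy the HBA's LUN map into the row of the port it logged in to.
 * Returns the bit position used, or NO_SLOT if the port is full. */
int hba_login(struct transient_table *t, unsigned port, uint32_t source_id,
              const struct filter_record *rec)
{
    if (port >= NUM_PORTS)
        return NO_SLOT;
    int slot = find_slot(t, port, source_id);
    for (int s = 0; slot == NO_SLOT && s < HBAS_PER_PORT; s++)
        if (!t->slot_used[port][s])
            slot = s;
    if (slot == NO_SLOT)
        return NO_SLOT;
    t->slot_used[port][slot] = 1;
    t->slot_source_id[port][slot] = source_id;
    for (unsigned lun = 0; lun < NUM_LUNS; lun++) {
        uint32_t bit = UINT32_C(1) << slot;
        if (rec->lun_map[lun / 8] & (1u << (lun % 8)))
            t->bitmap[port][lun] |= bit;
        else
            t->bitmap[port][lun] &= ~bit;  /* no stale grant from a prior user */
    }
    return slot;
}

/* Logout: clear the HBA's bit in every record of the row and free the slot. */
void hba_logout(struct transient_table *t, unsigned port, uint32_t source_id)
{
    int slot = (port < NUM_PORTS) ? find_slot(t, port, source_id) : NO_SLOT;
    if (slot == NO_SLOT)
        return;
    for (unsigned lun = 0; lun < NUM_LUNS; lun++)
        t->bitmap[port][lun] &= ~(UINT32_C(1) << slot);
    t->slot_used[port][slot] = 0;
}

/* Per-request check: 1 = forward to the disk adapters, 0 = drop. */
int filter_request(const struct transient_table *t, unsigned port,
                   unsigned lun, uint32_t source_id)
{
    if (port >= NUM_PORTS || lun >= NUM_LUNS)
        return 0;
    int slot = find_slot(t, port, source_id);
    if (slot == NO_SLOT)
        return 0;                      /* default deny: not logged in here */
    return (int)((t->bitmap[port][lun] >> slot) & 1u);
}

int main(void)
{
    static struct transient_table t;   /* zero-initialised: everything denied */
    struct filter_record host_a = { .wwn = 0x1000000000000001ULL }; /* constructed */
    record_allow(&host_a, 0);
    record_allow(&host_a, 5);
    hba_login(&t, 0, 0x010200, &host_a);          /* constructed source ID */
    printf("A, port 0, LUN 5: %d\n", filter_request(&t, 0, 5, 0x010200));
    printf("A, port 0, LUN 7: %d\n", filter_request(&t, 0, 7, 0x010200));
    return 0;
}
```

The check takes the source ID in the request at face value, so it is only as strong as that field; the authentication described next addresses a host that presents a false source identifier.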

Accordingly, a data management system that reserves 
volumes of data for host processors based on host identifiers 
has been described. In one embodiment, the data manage- 
ment system is, augmented to add security protection by 
authenticating each request to verify that it was truly sent by 
the host indicated by the host identifier received at the 
storage system 20. Authentication of the connections to the 
storage system 20 secures the data volumes allocated to each
of the host processors by verifying that the host requesting 
a data volume is truly the host indicated in the source ID of 
the request packet. Simply relying on the source identifier of 
the host processor may not be a sufficient measure of 
protection. In some insecure environments, a processor may 
issue a false source identifier in an attempt to access privi- 
leged data of another host. Authentication thus verifies that 
the host processor is who it claims to be, and therefore 
should be allowed access to the data. 

In one embodiment, to support the authentication of host 
requests, the storage system issues a number of unique, 
expected identifiers to each HBA of each host device prior 
to the initiation of transactions by the host device. The 
storage system maintains a copy of the expected identifiers. 
When the HBA associated with the host device initiates a 
series of transactions, it forwards the expected identifiers 
that were received from the storage system back to the 
storage system. The storage system compares each received 
identifier against the expected identifier. Because the storage 
system only forwarded the identifiers to the particular HBA 
associated with the host, if the correct identifier is received 
the storage system can verify that, in fact, the request was 
issued from the indicated host. In one embodiment, the level 
of security protection is further enhanced by using a random 
number for each identifier. In another embodiment, an 
encryption key, known only to the host and the storage 
system, is used to encrypt the identifier before it is sent to the 
storage system. The storage system may then decrypt the 
identifier using the encryption key. Encrypting the identifier 
prevents other devices that are coupled to the network from 
obtaining the identifier and gaining access to privileged data. 
Thus, a two-tiered level of authentication is provided, since 
each transaction has a unique identifier, known only to the 
issuing host, and the identifier is encrypted using a unique 
access key known only to the HBA at that host. 

In one embodiment, the identifier information is trans- 
ferred between the devices on the network (e.g., the host and 
the storage system 20) using selected fields of the packet. 
Referring again to the example packet of FIG. 2, illustrated 
in the payload portion 160 of the packet 50 are some of the 
fields that are used to communicate according to the SCSI 
protocol. These fields include a source session ID 162, a 
destination session ID 164 and a data field 65. According to 
the SCSI protocol, the source session ID and destination 
session ID are used to track an order of transactions between 
an initiating device and a target. The SCSI protocol allows 
a number of transactions to be simultaneously outstanding 
between an initiating device and a target device. For 
example, a host initiator may issue a number of I/O requests 
to different volumes in a target storage system. Depending 
upon the accessibility of each of the volumes, the order in
which the responses to the requests are returned to the host
may differ from the order of the issued requests. The session
IDs are used to align requests with responses at the host. The
session IDs provided for each transaction may be arbitrary
numbers as long as they are unique across a given time
period. Because the session ID may be any arbitrary number,
in one embodiment the session ID fields are used to transfer
unique identifier information for each transaction.

The above-described authentication method may be
implemented in a variety of ways and the present invention
is not limited to any particular implementation. However, for
purposes of illustration, an embodiment of a host processor
312 and storage system 320 including components for
providing the above-described authentication functionality
is shown in FIG. 6. In FIG. 6, the host bus adapter 345 stores
in its memory 349 a data structure 60. The data structure 60
includes, for each storage system 320 coupled to the HBA,
a public key 61, a private key 62, an access key 63, and a list
64 of one or more random numbers. Each of the keys is a
field of bits which may be used to encrypt and decrypt data
using techniques known to those of skill in the art. Encryption
and decryption are performed by applying the bit values
of the keys to bit values of data using logical operations
associated with a selected encryption algorithm. The access
key is a key that is dedicated to encrypting and decrypting
authentication data transferred between the HBA and the
associated storage system. In one embodiment, an initial
value for the access key 64 is obtained using the public and
private keys 62 and 63, respectively, as will be described in
more detail below.

To support authentication, the storage system 320
includes a filter and adapter unit 334 that may include each
of the features described with regard to FIG. 3, as well as a
number of other components to support authentication. The
filter and adapter unit 334 includes a random number
generator 82 which is used to provide random numbers used
in the authentication process for each of the HBAs coupled
to the storage system. Coupled to the random number
generator 82 is an encrypter/decrypter 85 and a comparator
87. The transient filter table 84, authentication table 86,
random number generator 82, encrypter/decrypter 85 and
comparator 87 are used in conjunction to authenticate
connections to the storage system 20 using a method that will be
described in more detail below.

As described above, the authentication method involves
the transfer of identifiers between the host 312 and the
storage system 320 over the network 21. In one
embodiment, the identifiers are encrypted using an access
key stored at the host 312 and at the storage system 320,
although this is not a requirement of the invention. FIG. 7
illustrates one method of distributing an access key to the
host 312 and the storage system 320.

Access keys may be provided in a number of ways,
including allocating access keys to the storage system and
host processors in advance of their entry to the network.
Alternatively, an access key may be obtained after the host
processor has entered the network in a manner described
with regard to the data flow diagram of FIG. 7. In FIG. 7,
operations performed by the HBA 345 (FIG. 6) are illustrated
on the left hand side of the figure, operations performed
by the storage system 320 are illustrated on the right
hand side of the figure, and data flows are illustrated
between the two sides. At step 100, the HBA 345 (FIG. 6)
generates a public and private key pair. This can be done, for
example, using known encryption software executing on the
CPU 40. The public and private key pair is dedicated to the
HBA and is not accessible by any other device coupled to the
network 21 (FIG. 6). Data which is encrypted by the public 
key 61 can only be decrypted using the private key 62, while 
data that is encrypted by the private key 62 can only be 
decrypted using the public key 61. 

At step 102, the HBA 345 forwards the public key 61 over
to the storage system 320. In step 101, the storage system
320 loops, waiting for the key. When the storage system 320
receives the public key at step 101, it proceeds to step 103.
In step 103, using the public key 61, the storage system 320
encrypts an access key for the HBA 345, forwards this
encrypted access key 67 back to the HBA 345 over the
network 21 (FIG. 6) and terminates. Because the HBA 345
is the only device in the network that has the private key 62
that must be used to decrypt any message encrypted with the
public key, other devices that are monitoring the transactions
on the network will not be able to decipher the encrypted
access key 67 forwarded by the storage system 320. When
it is determined at step 105 that the HBA 345 has received
the encrypted access key 67, the process running on the
HBA 345 proceeds to step 106, wherein the HBA 345
decodes the encrypted access key using the private key 62.
In addition, at step 106, the HBA 345 stores the access key
in data structure 60 with the public key 61 and private key
62 for later communications with the storage system 320.

Once the host processor has received the access key, it
may begin the process of issuing I/O requests to the storage
system 320. The processes by which a host processor issues
an I/O request, and by which an I/O request is serviced by
the storage system 320 in accordance with one embodiment
of the invention will now be described with regard to the
flow diagrams of FIGS. 8a-b and FIG. 9.

In FIG. 8a, a flow diagram is provided for illustrating one
embodiment of a method that may be performed to establish
a connection between the HBA 345 and the storage system
320. In FIG. 8a, operations performed by the HBA 345 are
indicated on the left hand side of the figure, operations
performed by the storage system 320 are indicated on the
right hand side of the figure, and data flows are shown in
between. At step 110, the HBA 345 arbitrates for access to
the storage system 320. At step 120, when the HBA 345 has
won arbitration, it issues a control data block 112 to the
storage system 320. The control data block 112 includes the
source ID of the HBA 345 and indicates that the HBA
requests to be serviced by the storage system 320. When it
is determined at step 121 at the storage system 320 that there
is an outstanding request from the HBA, the method proceeds
to step 122 wherein in response to the host's request,
the storage system 320 forwards a unique identifier 114 to
the HBA 345. In one embodiment, the identifier is a random
number provided in the destination session ID 64 of the
payload portion 60 of the packet 50 as illustrated in FIG. 2.
At step 122a, after the storage system has forwarded the
random number to the HBA, the storage system 320
encrypts the random number 114 using the access key and
stores the encrypted random number for later comparison.

When it is determined at step 123 that the HBA has
received the random number from the storage system 320, at
step 124 the HBA encrypts the random number 114 using the
access key 63 (obtained using the process of FIG. 7), and
returns the random number to the storage system 320 as an
encrypted number 125. When it is determined at step 126
that the storage system 320 has received a response, at step
127 the storage system 320 compares the received random
number 125 against the previously encrypted and locally
stored version of the random number generated at step 122.
The compare status 128 is forwarded to the HBA. If there is
not a match, this indicates to the storage system that the host
does not have the correct access key, and/or that the host
does not know the correct random number and the connection
between the host processor and the storage system is not
authenticated. The HBA is not permitted to access data at the
storage system 320, and the transaction is complete. If there
is a match, then the host has the correct access key, and the
correct random number and connection between the HBA
and the storage system is authenticated.

Once the connection between the HBA and the storage 
system has been authenticated, the HBA may send an I/O 
request to the storage system 320 for servicing. In one 
embodiment of the invention, every I/O transaction is 
authenticated using a different identifier (e.g. random 
number). Because the SCSI protocol allows for multiple I/O 
requests from an HBA to be outstanding at any given time, 
the HBA keeps track of the outstanding I/O requests using 
a technique referred to as command tag queuing. Each I/O 
request is assigned a unique tag, using the source session ID 
field 62 (FIG. 2). When a response is returned from the 
storage system, the tag is included in the session ID field of 
the response so that the response data may be aligned with 
the request using the tag. 

The maximum number of I/O requests that an HBA may 
have outstanding at any instant in time is determined accord- 
ing to the command tag queuing protocol. Because each I/O 
request is assigned a unique identifier, each HBA should 
always include a sufficient number of identifiers to ensure 
that an identifier can be provided for each outstanding 
request. Therefore, according to one embodiment, as each
device logs into the storage system a list of unique identifiers 
is forwarded to the device. The number of identifiers in the 
list corresponds to the maximum number of I/O requests 
capable of being outstanding at the device, although the 
present invention is not limited to this number. As each 
device issues a request to the storage system, one of the 
identifiers is used from the list. Each time that the storage 
system responds to a request, it returns a new identifier 
which is stored at the bottom of the list. Identifiers are
selected in first in first out order from the list. As a result, a
constant number of identifiers is maintained at the device to 
satisfy command tag queuing protocols. 

One embodiment of a method of providing the identifiers 
to the host is described below. Because a unique identifier or 
random number will be associated with each I/O request, at 
the start of an I/O sequence, the HBA requests a number of 
random numbers equal to the maximum number of permis- 
sible outstanding I/O requests. The list of random numbers 
is stored as list 64 in data structure 60 (FIG. 6) of the HBA 
345 and is additionally stored in the authentication table 86 
of the filter and adapter unit 334 (FIG. 6) of the storage 
system 320. 

Referring now briefly to FIG. 9, an example of elements
that may be stored in the authentication table 86 (FIG. 6) is
shown. For each of the HBAs that is coupled to the storage
system 320, a data structure 89 is provided. The data
structure may include a public key 89a which is a copy of
the public key 61 that was provided by the HBA to obtain the
initial access key 63. In addition, the data structure may
include an access key 89b which is a copy of the access key
63 stored at HBA 345. In one embodiment, each of the data
structures further includes a list of random numbers. The
random number in each entry of the data structure 89c
corresponds to a random number that will be used to
authenticate an associated transaction. How the random
number is used to authenticate a transaction is described in
more detail with regard to FIG. 8b.

In FIG. 8b, at step 184, the HBA issues a control data
block 185 to the storage system 320. The control data block
185 includes control for notifying the storage system 320
that the HBA is going to initiate an I/O transaction, and that
the connection has been authenticated. When it is determined
at step 186 that a request has been received, the
storage system 320 decodes the request and at step 187
forwards a packet 188 including a list of random numbers to
the HBA 345. At step 187a, the storage system 320 also
encrypts the first random number using the access key and
stores the encrypted number locally for later comparison
with the encrypted number received in a request from the
HBA.

When it is determined at step 189 that the HBA has
received the packet 188, at step 190 the HBA 345 checks to
determine whether there is an outstanding I/O request. If so,
at step 192, the HBA 345 encrypts the first random number
using the access key, stored in field 63 of the data structure
60. The HBA 345 then inserts the encrypted random number
in the source session ID field of the I/O request packet, and
forwards the I/O request packet 194 to the storage system
320.

When it is determined at step 195 at the storage system
320 that an I/O request packet has been received, at step 196
the storage system 320 compares the encrypted random
number received in the source session ID field of the I/O
request packet 194 against the encrypted random number
generated at step 187. Alternatively, the storage system 20
may simply decrypt the received random number and compare
it against the expected random number. If there is a
match, the storage system 320 services the I/O request, and
forwards a response packet 197 back to the HBA 345. The
response packet includes any data requested by the HBA,
and a new random number which will be used once the
[...] In one embodiment,
the new random number is provided in the destination
session ID field, while the previous, encrypted random
number is returned in the source ID field for tracking
purposes, although the use of specific fields is not a limitation
of the present invention.

When it has been determined at step 198 that a response
has been received from the storage system 320, the HBA
retrieves the non-encrypted random number from the session
ID fields of the packet 197 and stores the random number in
the data structure 60. The process then proceeds to step 190,
where the HBA initiates the next I/O request, using the next
random number from the list 64, encrypted using the access
key.
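
The exchange of FIGS. 8a-b combined with the bitmap filter, sketched in Python as an added example that is not code from the patent. HMAC-SHA256 stands in for the unspecified encryption with the access key; the class names, 16-byte identifiers, status strings and the choice to authenticate before filtering are assumptions.

```python
import hashlib
import hmac
import secrets
from collections import deque

ID_BYTES = 16  # assumed identifier width; the page does not fix one


def keyed(access_key: bytes, identifier: bytes) -> bytes:
    """Stand-in for "encrypt the identifier with the access key".

    Both ends only compare transformed values, so a keyed one-way
    function (HMAC-SHA256) fills the role of the unspecified cipher.
    """
    return hmac.new(access_key, identifier, hashlib.sha256).digest()


class StorageSystem:
    """Filter and adapter unit: authentication table plus volume bitmaps."""

    def __init__(self, queue_depth=2):
        self.queue_depth = queue_depth  # max outstanding requests per HBA
        self.auth = {}        # source ID -> (access key, expected keyed identifiers)
        self.hba_bit = {}     # source ID -> bit position in every bitmap
        self.lun_bitmap = {}  # (bus, target, lun) -> bitmap of permitted HBAs

    def enroll(self, source_id, access_key, volumes):
        bit = self.hba_bit.setdefault(source_id, len(self.hba_bit))
        self.auth[source_id] = (access_key, deque())
        for addr in volumes:
            self.lun_bitmap[addr] = self.lun_bitmap.get(addr, 0) | (1 << bit)

    def login(self, source_id):
        """Hand out one identifier per permissible outstanding request."""
        key, expected = self.auth[source_id]
        fresh = [secrets.token_bytes(ID_BYTES) for _ in range(self.queue_depth)]
        expected.clear()
        expected.extend(keyed(key, ident) for ident in fresh)
        return fresh

    def request(self, source_id, session_id, addr):
        """Authenticate, then filter. Returns (status, new identifier or None)."""
        if source_id not in self.auth:
            return "dropped: unknown source", None
        key, expected = self.auth[source_id]
        # Constant-time compare against the oldest expected identifier (FIFO).
        if not expected or not hmac.compare_digest(expected[0], session_id):
            return "dropped: not authenticated", None
        expected.popleft()                      # each identifier is single use
        new_id = secrets.token_bytes(ID_BYTES)  # travels back in the response
        expected.append(keyed(key, new_id))
        if not (self.lun_bitmap.get(addr, 0) >> self.hba_bit[source_id]) & 1:
            return "dropped: volume not assigned", new_id
        return "serviced", new_id


class HBA:
    def __init__(self, source_id, access_key):
        self.source_id, self.access_key = source_id, access_key
        self.ids = deque()  # list 64, consumed first in, first out

    def login(self, storage):
        self.ids = deque(storage.login(self.source_id))

    def io(self, storage, addr):
        sid = keyed(self.access_key, self.ids.popleft())
        status, new_id = storage.request(self.source_id, sid, addr)
        if new_id is not None:
            self.ids.append(new_id)  # refill keeps the list length constant
        return status, sid


def demo():
    storage = StorageSystem(queue_depth=2)
    key_a = secrets.token_bytes(32)
    storage.enroll("hba-A", key_a, [(0, 0, 1)])
    storage.enroll("hba-B", secrets.token_bytes(32), [(0, 0, 2)])
    a = HBA("hba-A", key_a)
    a.login(storage)
    out = {"legit": [a.io(storage, (0, 0, 1))[0] for _ in range(5)]}
    out["unassigned"] = a.io(storage, (0, 0, 2))[0]
    # Requests that carry hba-A's source ID but not a valid identifier:
    _, used_sid = a.io(storage, (0, 0, 1))
    out["replayed"] = storage.request("hba-A", used_sid, (0, 0, 1))[0]
    out["plaintext"] = storage.request("hba-A", a.ids[0], (0, 0, 1))[0]
    out["wrong_key"] = storage.request(
        "hba-A", keyed(b"guessed key", a.ids[0]), (0, 0, 1))[0]
    out["legit_after"] = a.io(storage, (0, 0, 1))[0]
    out["list_length"] = len(a.ids)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Rejected requests leave the expected list untouched, so a wrong guess does not desynchronise the legitimate HBA. The identifier vouches for the sender only, not for the contents of the request.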

Thus, a method is provided that may be used to authenticate
a host at a storage system. Although the method has been
described using random numbers, it should be understood that
this is not a requirement of the invention, and that any
sequence of numbers that does not include a readily
discernable pattern may alternatively be used. As discussed
above, more than one HBA may be simultaneously connected to
the storage system 320. Thus, as identifiers are distributed
to [...] will similarly be distributed among the variety of
HBAs that are coupled to the storage system 320, thereby
making the number distribution appear even more random and,
accordingly, more secure. In addition, although encryption
techniques have been described, it is not a requirement of
the invention that identifiers be encrypted prior to
transfer. Alternatively, an authentication technique may be
used which does not include identifiers for each request but
encrypts the entire request using the access key. It is also
envisioned that a different access key may be provided for
each transaction. The present invention may incorporate any
combination of these authentication techniques and is
therefore not limited to the specific embodiments discussed
above.

The above techniques may be used to verify that a
connection between an initiator and a target is authorized. In
another embodiment, techniques are also used to ensure that
the data that is received at the target is the data that was sent
by the initiator. Accordingly, further security may be
obtained by applying validation methods to ensure that
commands and data are not corrupted during a transfer from
the initiator to the target. The validation method may be
provided to preclude other devices that are coupled to the
network from interfering with transactions between the
initiator and the target.

According to another aspect of the invention, a method for
validating a data transfer between a source and a target over
the network includes the step of maintaining, at both the
target and the initiator, a digital signature of the transfer. The
digital signature is in the form of a checksum. Each byte of
data that is transferred between a target and an initiator is
combined with the previous bytes of the transfer using a
hashing function to form the checksum. The hashing function
may be, for example, an exclusive OR function, or some
derivative thereof. The data included in the signature may
include only that data forwarded by the initiator to the target,
only that data forwarded from the target to the initiator, or
a combination thereof.

Referring now to FIG. 10, a flow diagram of one embodiment
of a method for validating a data transfer between an
initiator and a target is shown. The flow diagram is similar
to that described with regard to FIG. 8b, but includes steps
for validating the data transfer. At step 200, it is determined
at the initiator whether or not there are any I/O requests. If
so, at step 202, the initiator encrypts the random number
associated with the transaction and forwards the I/O request
203, with the encrypted random number in the source
session ID, to the target. When it is determined at step 204
that the target received the request, at step 205 the target
compares the received encrypted number against a stored
encrypted expected random number to determine a match. If
there is no match, the target does not respond. If there is a
match, at step 206 the target forwards a new encrypted random
number and response data to the target. Also, at step 206, the
target hashes the response data into the existing checksum to
provide a new checksum to build the digital signature of the
data transfer. The response 207 is received at the initiator in
step 208. At step 209, the initiator also hashes the response
data into the existing checksum to provide a new checksum
to build the digital signature of the data transfer. The process
of issuing I/O requests and generating checksums continues
for the number of requests in the initiator/target connection.
When it is determined at step 200 that there are no more
requests, the process proceeds to the validation phase in step
210, illustrated in FIG. 11.

At step 210, the initiator encrypts the checksum using the
access key, and forwards the encrypted checksum 212 to the
target. The target receives the encrypted checksum, at step
214. At step 216, the target decrypts the checksum and at
step 218 the target compares the decrypted checksum with
the checksum generated by the target. The target sends a
status packet 220 to the initiator indicating whether or not
the checksums matched. If it is determined at step 222 that the
transaction was valid (i.e., no data was corrupted), then the
connection between the initiator and the target is completed.
If the status 220 indicates that the transaction was not valid
and that data was corrupted, then the initiator re-establishes
the connection with the target and repeats the data transaction.
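
The running exclusive-OR checksum of FIGS. 10 and 11, as an added Python example (not from the patent), kept side by side with a keyed MAC over the same data to show which alterations each one notices. The class and function names, the constructed sample payloads, the MAC comparison and the use of HMAC-SHA256 in place of encryption with the access key are assumptions.

```python
import hashlib
import hmac


class Endpoint:
    """One side of a transfer, keeping both integrity values as data flows."""

    def __init__(self, access_key: bytes):
        self.access_key = access_key
        self.checksum = 0  # running exclusive OR of every byte seen
        # Comparison scheme (assumption, not on the page): keyed MAC over
        # the length-prefixed sequence of messages.
        self.mac = hmac.new(access_key, digestmod=hashlib.sha256)

    def absorb(self, data: bytes) -> None:
        for byte in data:
            self.checksum ^= byte
        self.mac.update(len(data).to_bytes(4, "big") + data)

    def sealed_checksum(self) -> bytes:
        """Checksum protected with the access key (HMAC stands in for encryption)."""
        return hmac.new(self.access_key, bytes([self.checksum]),
                        hashlib.sha256).digest()


def validate(sent, received, access_key=b"constructed demo access key"):
    """Return (xor_checksums_match, macs_match) for one series of responses."""
    target, initiator = Endpoint(access_key), Endpoint(access_key)
    for message in sent:        # target hashes what it forwards (step 206)
        target.absorb(message)
    for message in received:    # initiator hashes what arrives (step 209)
        initiator.absorb(message)
    xor_ok = hmac.compare_digest(initiator.sealed_checksum(),
                                 target.sealed_checksum())
    mac_ok = hmac.compare_digest(initiator.mac.digest(), target.mac.digest())
    return xor_ok, mac_ok


# Constructed sample transfer: two response payloads and four arrivals.
SENT = [b"block-0001", b"block-0002"]
CASES = {
    "intact": [b"block-0001", b"block-0002"],
    "one byte changed": [b"block-0001", b"block-0003"],
    "responses reordered": [b"block-0002", b"block-0001"],
    "same bit flipped in two bytes": [b"BLock-0001", b"block-0002"],
}

if __name__ == "__main__":
    for name, received in CASES.items():
        print(name, validate(SENT, received))
```

A plain exclusive OR is insensitive to ordering and to changes that cancel each other out, so the choice of "derivative thereof" decides how much the validation step actually catches.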

Thus, a data management method and apparatus has been 
described that provides three levels of data management. 
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Filtering is provided to ensure that each host only accesses warding a new expected identifier to the device for a 

volumes of data for which it has privileges. Security may be subsequent request. 

incorporated using authentication methods to verify that 4. The method according to claim 2, wherein the storage 

each request was truly issued by the host indicated in the system and the device each stores an encryption access key, 
identifier of the request. Finally, validation may be provided 5 ^ wherein the step of authentication further comprises a 

to ensure that data is not corrupted during transit A system ste P 

using the data management method and apparatus of the comparing an encrypted identifier received at the storage 

present invention may incorporate one or more of these system with an expected identifier at the storage system 

levels of data management independently, and thus the to verif y mat ^ de yj ce ^ at me re ^ uest has the 

present invention is not limited to a system including all the 10 ac^ key and me identifier 

j j * j -uju ci. 5. The method according claim 4, wherein the encrypted 

recited data management techniques described above. Such .\ . . A . ° u , . ' ; v 

* ° 4 ■ j • a — ~i identifier is encrypted by the device using the encryption 

a data management system provides increased control over « . f y P . u . J P., if 

& , ' *_ * i_ v *l access key prior to receipt or. the encrypted identifier by the 

data accesses by users at a host processor by hmitmg the g ^ ^ wherein ^ ^ of authentic ^ 

data capable of being accessed by the host processor. Thus, includes ±c 0 f encrypting the expected identifier 

while users at a host processor may be capable of accessing 15 at tbe storage device me encryption access key prior 

all of the data allocated to the host processor (depending to comparing the encrypted identifier with the expected 

upon the privileges associated with the user), neither the identifier. 

users or even the system administrator with the highest 6. The method according to claim 4, wherein the 

privilege at the host processor is capable of accessing data encrypted identifier is encrypted by the device using the 
that is not allocated to the host by the storage system, 20 encryption access key prior to receipt of the encrypted 

regardless of the privileges of the user on the host. identifier by the storage system, and wherein the step of 

Although the above discussion relates to an exemplary authenticating further includes the step of decrypting the 

system wherein a host gains access to data at a storage expected identifier at the storage device using the encryption 

system, the above described methods may be applied to any acccss kcv P^or to comparing the encrypted identifier with 

system wherein a resource is shared by multiple devices. 25 the expected identifier. , . „ ^ . , , . 

Such systems include, but are not limited to any type of The method according to claim 3, wherein the device 

storage system including disk devices, tape devices, file * nd the stor ^ system commumcate accordmg to the SmaU 

servers and the like Component System Interconnect (SCSI) protocol, and 

. ' , „ „ , . . . wherein the step of selectively servicing the request includes 

H^tacrib^ a step of forwardmg me new expects identifier in a session 

detail, various modifications and improvements will readily identifier fiekJ of a ket in ^ SCSI tocoL 

occur to those skilled in the art Such modifications and g ^ method accordmg to claim 2 , wherein the storage 

improvements are mtended to be : within the spirit and scope fc apportioned int0 a plurality of volumeSj and 

of the invention Accordingly, the foregoing descnpUon is wherein a of deyices are led tQ the stQ 

by way of example only, and is not intended as lumbng The m b m interconnect, and wherein the method further 

invention is limited only as defined by the following claims com prises a step of • 

an ^J c ^equivalente thereto. ^ a wnfiguration database , configuration infor- 

i a 15 011111 ^ . mation for each one of the plurality of devices that has 

1. A data management method for managing access to a access ^ ^ e ^ ^ tion ^ 

storage system by a device, tne metnod compnsmg steps ot: mdicating of me plurality of devices is autho- 

transmitting firom the storage system, to the at least one of rized to acccss which ones of a p^^ty of mc volumes 

the plurality of devices, at least one expected identifier of data at me storage systcm . 

to be included in at least one subsequent request issued 9 ^ method to claim 8> comprising a 

by the at least one of the plurality of devices to the &tep of storing ^ a toMe> for each one of the plurality of 
storage system to indicate that the at least one request 45 devices> a ^ of tbe expected identifiers assigned to the 

has been issued by the at least one of the plurality of associated one of the plurality of devices, 

devices; and 10 metno d according to claim 2, wherein the method 

receiving at the storage system, from the at least one of the further comprises a step of generating a random number to 

plurality of devices, at least one request including the provide at least one of the expected identifiers, 

at least one expected identifier indicating that the at 5Q The method according to claim 2, wherein a plurality 

least one request has been issued by the at least one of D f devices are coupled to the storage system by an 

the plurality of devices. interconnect, and wherein the method further comprises the 

2. The method according to claim 1, wherein the step of s t e ps 0 f: 

authenticating further comprises steps of: generating a sequence of random numbers; and 

assigning, at the storage system, an expected identifier for 55 distributing random numbers from the sequence of ran- 

each one of the series of requests expected to be dom numbers among the plurality of devices, 

initiated by the device; n Xh e method according to claim 2, wherein a series of 

prior to initiation of each of the series of requests by the one or more transactions is exchanged by the device and the 

device, forwarding the expected identifier associated storage system, and wherein the method further comprises a 
with each request firom the storage system to the 60 step of validating each of the series of transactions to ensure 

device; and that the contents of each of the transactions are not altered 

for each request received at the storage system, comparing during transit. 

an identifier received with the request to the expected 13. The method according to claim 12, wherein each 

identifier associated with the request to authenticate the transaction comprises a request issued from the device to the 
request. 65 storage system and a response issued firom the storage 

3. The method according to claim 2, wherein the step of system to the device, and wherein the step of validating 
selectively servicing each request includes a step of for- further comprises steps of: 
maintaining, at the storage system, a first checksum of data forwarded to the device when servicing the series of transactions;
receiving, at the storage system, a second checksum from the device, the second checksum reflecting the data received by the device during the series of transactions; and
comparing the first checksum and the second checksum to validate the series of transactions.

14. The method according to claim 12, wherein the step of validating further comprises steps of:
maintaining, at the storage system, a first checksum of data received from the device when servicing each transaction in the series of transactions;
receiving, at the storage system, a second checksum from the device, the second checksum reflecting the data forwarded by the device during the series of transactions, and
comparing the first checksum and the second checksum to validate the series of transactions.

15. The method according to claim 12, wherein the step of validating further comprises steps of:
maintaining, at the device, a first checksum of data forwarded to the storage system when forwarding a series of transactions;
receiving, at the device, a second checksum from the storage system, the second checksum reflecting the data received by the storage system during the series of transactions; and
comparing the first checksum and the second checksum to validate the series of transactions.

16. The method according to claim 10, wherein the step of validating further comprises steps of:
maintaining, at the device, a first checksum of data received from the storage system in the series of transactions;
receiving, by the device, a second checksum from the storage system, the second checksum reflecting the data forwarded by the storage system during the series of transactions; and
comparing the first checksum and the second checksum to validate the series of transactions.

17. A method for managing access by at least one of a plurality of devices to a storage system coupled to the at least one of a plurality of devices by a network, the storage system including a plurality of storage devices, the method comprising steps of:
receiving, from the storage system, at the at least one of the plurality of devices, at least one expected identifier to be included in at least one subsequent request issued by the at least one of the plurality of devices to the storage system to indicate that the at least one of the plurality of devices issued the request; and
issuing, from the at least one of the plurality of devices, at least one request to the storage system, the at least one request including the at least one expected identifier indicating that the at least one request has been issued by the at least one of the plurality of devices.

18. The method according to claim 17, wherein the step of issuing further comprises a step of:
issuing, from the device, a series of requests to the storage system, wherein each request in the series of requests includes a different expected identifier.

19. The method according to claim 17, further comprising a step of encrypting the expected identifier to provide an encrypted expected identifier, and wherein the step of issuing the request includes a step of forwarding the encrypted, expected identifier to the storage system.

20. The method according to claim 17, wherein the device and the storage system are coupled by a network, and wherein the method further includes a step of issuing the request from the device to the storage system over the network.

21. The method according to claim 20, wherein the step of issuing the request further includes a step of issuing the request from the device to the storage system according to a Fibre Channel protocol.

22. The method according to claim 17, wherein the storage system comprises a plurality of disk devices apportioned into a plurality of volumes, and wherein the step of [illegible] includes [illegible] at least one request to [illegible] plurality of volumes in the plurality of disk devices to the storage system.

23. The method according to claim [illegible], wherein the device is a host processor coupled to the storage system over a network, and wherein the step of issuing the at least one request includes a step of forwarding the request from the host processor to the storage system over the network according to a Fibre Channel protocol.

24. The method according to claim 17, wherein the device is a file server coupled to the storage system over a network, and wherein the step of issuing the at least one request includes a step of forwarding the request from the file server to the storage system over the network according to a Fibre Channel protocol.

25. A host computer for use in a computer system including a storage system having a plurality of storage devices, and a network that couples the host to the storage system, the host computer comprising:
a port to receive at least one expected identifier to be included in at least one subsequent request to the storage system; and
a controller to issue at least one request for access to the storage system, the at least one request including the at least one expected identifier to indicate that the request is being issued by the host computer.

26. The host computer according to claim 17, wherein the controller issues a series of requests to the storage system, each request in the series of requests including a different expected identifier.

27. The host computer system according to claim 25, further comprising an encrypter to encrypt the expected identifier included in the at least one request.

28. The host computer system according to claim 25, in combination with the storage system and a network that couples the host computer to the storage system.

29. The combination according to claim 28, wherein the network operates according to a Fibre Channel network protocol.

30. The combination according to claim 28, in combination with at least one additional host, wherein the at least one additional host includes:
a port to receive at least one additional expected identifier to be included in at least one subsequent request from the at least one additional host to the storage system; and
a controller to issue at least one request from the at least one additional host to the storage system, the at least one request including the additional expected identifier.

31. The combination according to claim 30, wherein the controller of the at least one host and the controller of the at least one additional host both issue requests according to a Fibre Channel network protocol.
32. The combination according to claim 28, wherein the storage system comprises a plurality of disk devices.

33. The combination according to claim 28, wherein the host computer is a file server.

34. A storage system comprising:
at least one storage device; and
an adapter to interface the storage system with a plurality of devices coupled to the storage system, the adapter to transmit to the at least one of the plurality of devices at least one expected identifier, and to receive the at least one expected identifier included in at least one subsequent request from the at least one of the plurality of devices to indicate that the at least one of the plurality of devices has issued the request, so that the adapter authenticates the at least one request from the at least one of the plurality of devices to verify that the at least one request was issued from the at least one of the plurality of devices; and
wherein the adapter is arranged to selectively forward the at least one request to the at least one storage device for servicing responsive to authentication of the at least one request.

35. The storage system according to claim 34, wherein the adapter operates to forward the at least one request to the at least one storage device responsive to authenticating that a device indicated as having issued the at least one request is the device that actually initiated the request.

36. The storage system according to claim 34, wherein the adapter operates to prevent the at least one request from being forwarded to the at least one storage device responsive to determining that a device indicated as having issued the at least one request is not the device that actually initiated the request.

37. The storage system according to claim 34, wherein the adapter further includes an authentication table to store authentication information for each of the plurality of devices.

38. The storage system according to claim 37, wherein the authentication table comprises, for at least one of the plurality of devices, a list including at least one expected identifier, with the at least one expected identifier being associated with at least one request to be received from the at least one device.

39. The storage system according to claim 37, further comprising:
a random number generator, coupled to the authentication table, the random number generator generating expected identifiers for inclusion in the list.

40. The storage system according to claim 37, further comprising:
an encrypter, coupled to the authentication table, to encrypt the expected identifiers in the list.

41. The storage system according to claim 37, further comprising:
a comparator to compare at least one authentication identifier received from the at least one device against the at least one expected identifier in the list.

42. The storage system according to claim 34, further comprising:
a digital signature unit, coupled to the adapter, to maintain a checksum of responses forwarded from the storage system to one of the plurality of devices.

43. The storage system according to claim 42, wherein the adapter further comprises:
means for comparing a checksum received from one of the plurality of devices against the checksum maintained at the digital signature unit for the one of the plurality of devices to determine the validity of data received from the one of the plurality of devices.

44. The storage system according to claim 34, in combination with the plurality of devices and a network that couples the storage system to the plurality of devices.

45. The combination according to claim 44 wherein the network operates according to a Fibre Channel protocol.

46. The [illegible] according to claim [illegible], wherein the at least one storage device includes at least one disk drive.

47. The combination of claim 44, wherein one of the plurality of devices is a host processor.

48. The combination of claim 44 wherein one of the plurality of devices is a file server.

49. An adapter for use in a device to authenticate a connection between the device and a storage system, the adapter comprising:
a data structure comprising at least one entry to store at least one unique identifier provided by the storage system; and
a controller to issue at least one request to the storage system, wherein the request includes the at least one unique identifier, thereby indicating that the at least one request is being issued from the device, so that the storage system can use the at least one unique identifier to authenticate the connection between the device and the storage system.

50. The adapter according to claim 49, wherein the controller issues a series of requests to the storage system, wherein each request in the series of requests includes a different one of at least one unique identifiers.

51. The adapter according to claim [illegible], further comprising:
an encrypter to encrypt the at least one unique identifier prior to forwarding the at least one identifier with the at least one request.

52. The adapter according to claim 49, wherein the at least one request comprises a packet of data comprising a plurality of fields, wherein the packets are formatted according to the Small Component System Interconnect (SCSI) protocol, wherein one of the plurality of fields of the packet is a session identifier field, and wherein the controller includes the at least one unique identifier in the session identifier field of the at least one request.

53. The adapter according to claim 52, further means for extracting a new unique identifier from a packet received from the storage system, and means for storing the new unique identifier in the data structure.

54. The adapter according to claim 49, further comprising:
a digital signature unit to maintain a checksum of data received from the storage system in response to the at least one request to validate that data was not corrupted during transit.

55. The adapter according to claim 54, further comprising:
means for forwarding the checksum to the storage system;
means for receiving status information from the storage system indicative of whether the checksum forwarded by the adapter matched a checksum generated at the storage system; and
means, responsive to the status information, for re-issuing the at least one request by the adapter.

56. The adapter according to claim 49, in combination 
with the storage system and a network that couples the 
adapter to the storage system. 

57. The combination according to claim 56, wherein the 
network is a Fibre Channel network. 

58. The combination according to claim 56, wherein the 
storage system includes at least one disk drive. 
59. The adapter according to claim 49, in combination
with a host processor and a network, wherein the adapter 
couples the host processor to the network. 

60. The adapter according to claim 49, in combination 
with a file server and a network, wherein the adapter couples 
the file server to the network. 
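
The following Python sketch is an added illustration, not part of the patent text. It models the adapter-side checks the claims describe: an authentication table of randomly generated expected identifiers, a different identifier accepted for each request, refusal to forward a request whose identifier does not match the device it names, and a checksum comparison over a series of transactions. The class and method names, the in-order use of identifiers and the use of SHA-256 as the checksum are assumptions; the encryption of identifiers recited in some claims is left out.

```python
import hashlib
import secrets


class StorageAdapter:
    """Storage-side adapter: authentication table plus per-device running checksums."""

    def __init__(self, volumes):
        self.volumes = volumes   # volume name -> bytes (constructed sample data)
        self.expected = {}       # device -> list of unused expected identifiers
        self.forwarded = {}      # device -> running checksum of data forwarded

    def issue_identifiers(self, device, count):
        # Random expected identifiers, one per subsequent request.
        ids = [secrets.token_hex(8) for _ in range(count)]
        self.expected.setdefault(device, []).extend(ids)
        self.forwarded.setdefault(device, hashlib.sha256())
        return ids

    def service(self, device, identifier, volume):
        # Forward the request only if it carries the next expected identifier
        # for the device it claims to come from (assumed in-order use).
        queue = self.expected.get(device, [])
        if not queue or not secrets.compare_digest(queue[0], identifier):
            return None
        queue.pop(0)             # each identifier is accepted once
        data = self.volumes[volume]
        self.forwarded[device].update(data)
        return data

    def validate(self, device, device_checksum):
        # Compare the device's checksum of data received with the adapter's own.
        mine = self.forwarded[device].hexdigest()
        return secrets.compare_digest(mine, device_checksum)


def demo():
    adapter = StorageAdapter({"vol0": b"payroll", "vol1": b"logs"})
    ids_a = adapter.issue_identifiers("hostA", 2)
    ids_b = adapter.issue_identifiers("hostB", 2)
    received = hashlib.sha256()                            # hostA's running checksum
    first = adapter.service("hostA", ids_a[0], "vol0")     # genuine request
    received.update(first)
    replay = adapter.service("hostA", ids_a[0], "vol0")    # identifier reused
    spoof = adapter.service("hostA", ids_b[0], "vol0")     # hostB naming hostA
    second = adapter.service("hostA", ids_a[1], "vol1")    # next identifier
    received.update(second)
    intact = adapter.validate("hostA", received.hexdigest())
    damaged = adapter.validate("hostA", hashlib.sha256(b"payrollXogs").hexdigest())
    return first, replay, spoof, second, intact, damaged
```

Calling demo() returns the two serviced reads, None for the reused identifier and for the request that names hostA but carries hostB's identifier, and the outcome of the two checksum comparisons.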